Undercover Agents Record Social Media Evidence
Benjamin Wright, posted 2011-10-11 (updated 2015-12-06)

Legally Preserving OSINT (Open Source Intelligence)

How should investigators record fast-changing online evidence, such as social media?

Case in point: The Mercer County (New Jersey) Prosecutor’s office followed hundreds of street gang affiliates on Myspace. How did it do that economically? Instead of using seasoned, highly-trained police investigators, it commissioned a team of mere interns. The interns, acting as undercover agents, “friended” target gang affiliates. One fake profile maintained by the interns attracted 180 “friends.”

Collecting evidence from that much online activity can be daunting. Several tools exist, and I’ve previously published demonstrations using webcams and downloaded software.

Free, Easy-to-Use Tools

Here’s another demonstration, which emphasizes low cost, easy-to-use tools. The tools are

screencast-o-matic, a free, Java-based tool for recording what you see on your screen, and

Microsoft’s free Skydrive file storage service.

Picture this hypothetical setting. The county sheriff’s office needs an efficient way to capture what is happening on a dynamic blog. Information on the blog at this minute could be changed or deleted a minute later. The sheriff’s office has no special equipment, but it does have two investigators who need to remain anonymous. They will be identified by numbers. Their voices will be recorded by microphone, but not their faces by webcam.

Two Witnesses Are Better Than One

The resulting screencast video is a unified package of evidence that captures the interaction of the web better than a mere screenshot does. (Notice, for example, that the screencast video records the action at the beginning of the bad-guy video posted on the blog under investigation. A screenshot would not capture this action.)

The two investigators corroborate the video and corroborate each other. Each investigator signs the video with the unique sounds of his voice. Each speaks the date and time with his unique, identifying voice.

The involvement of two investigator witnesses makes the Sheriff's Office less dependent on any single person to testify as to the authenticity of the video later, such as in court. Witnesses like interns can come and go.

Depending on the use of the video, an authority (such as a judge in a parole hearing) might rely on the video, signed by two witnesses, without requiring direct testimony from either of the witnesses on the video's authenticity.

Cloud Time Stamp

To further corroborate the date, the video is loaded onto Microsoft’s Skydrive. Skydrive (a third-party cloud service) shows the time that the video was last modified.

Thus, if the video, dated by the witness voices as October 10, were uploaded on October 10 but then replaced October 25, there would be a mismatch of dates, suggesting that the video in Skydrive is not the one originally created by the investigators.

To further corroborate the date, the investigators could give the video to colleagues, who could store the video in their own time-stamped, cloud-based file-storage accounts. A provider's last-modified time only shows when that copy was last written, and whoever controls the account can replace the file, so the colleagues' independent copies matter: a later substitution then has to be made in every account at once, and a cryptographic hash of the video recorded alongside the timestamps lets a reviewer detect the substitution outright rather than merely suspect it.


Auditors and Whistleblowers

The techniques demonstrated here could be applied outside law enforcement. They might be used by auditors, journalists, whistleblowers, public watchdogs, school administrators or private investigators.

Is this video absolutely unassailable as legal evidence? No. The two investigators could have colluded to make all of this up. But collusion is not easy. It requires coordinated lying by two equally unethical people.

It is rare for legal evidence to be perfect. This video is reasonably good.

Investigators Engage Public Via Social Media
Benjamin Wright, posted 2011-10-03

To be relevant, credible and accepted, many investigators need to engage with the public. Increasingly that means embracing social media like Twitter and Facebook as a two-way conversation with followers. Failure to interact via social media can leave an investigator looking arrogant and out of touch. Two examples:

1. Roanoke, Virginia, police evacuate and search a shopping mall after report of a man with a gun. They do not find the man. They publish surveillance camera images of him on Facebook. Local TV news links to police department’s Facebook page. Facebook viewers debate whether suspect is carrying a gun or an umbrella. The man in question hears about the investigation and comes to police to show that he was carrying an umbrella. Tim Jones and Aisha Johnson, "Engaging the Public and Protecting Agencies and Personnel on Facebook and Beyond," The Police Chief 78 (July 2011): 58–61.

2. The UK has experienced riots and social unrest, fomented in part through social media and by anti-Muslim sentiment. West Midlands Police saw that troublemakers, trying to draw a crowd to a rally in Dudley, tweeted, falsely: “Muslims with knives rioting in Dudley #EDL.” Many people retweeted it. The police were monitoring this Twitter stream, and tweeted in reply: “There are no Muslims rioting in Dudley – all quiet #EDL.” The public retweeted the police. This pattern of misinformation by the troublemakers and refutation by the police continued, and it helped to discredit the troublemakers and to dampen unrest in Dudley. (“Social Media Handbook for Police: Part 12.” “EDL” refers to the right-wing English Defence League.)

Evidence Authentication
Benjamin Wright, posted 2011-09-04 (updated 2011-10-12)

I am looking for cases and stories about digital evidence that had been collected but could not be used or authenticated (or at least became open to question) on account of problems like these:

1. Investigator could not vouch for the evidence due to the investigator's death, retirement, refusal to cooperate or termination of employment.

2. Investigator committed some kind of error related to his/her securing of the evidence with a digital hash, key or signature. Example: investigator used a private crypto key to "sign" a digital evidence file, but the private key was compromised either before or after its use and therefore the trustworthiness of the evidence diminished.

Have you seen any cases like this? Are any such cases documented?

The reason I am interested is that I've been experimenting with webcam "signed affidavits" by investigators. A signed affidavit might, for example, help to show that a video is authentic and has not been tampered with.

Mark Lachniet publishes an excellent paper titled “Hostile Forensics.” He argues that sometimes digital forensics investigators have reason to take actions that are legally and ethically provocative. He calls these actions “hostile forensics.”

Mark frames the topic: “Due to recent developments in counter-forensic technologies such as strong encryption, it may soon be necessary for forensic analysts to use system penetration or ‘hacking’ techniques in order to obtain forensic evidence, a process here referred to as ‘Hostile Forensics.’”

Mark distinguishes “hostile forensics” from traditional forensics. Here is an example of traditional forensics: An investigator analyzes data on a hard drive, with formal authorization from the owner of the drive. The investigator has consent from the person who put the data on the drive. The drive is in the physical possession of the investigator.

Here is an example of “hostile forensics,” as I interpret the idea: A publicly accountable investigator, with justification, remotely interacts with a marvelously complex cloud of computers, while having something less than formal authority from each owner of each computer. One or more of the computers is in part controlled (or influenced) by a suspicious-acting adversary of the investigator. The investigator’s purpose is to gather evidence that incriminates the adversary.

Mark offers numerous intelligent steps to help cause a “hostile forensics” investigation to fall on the side of good and not evil. He suggests, for instance, that the investigation be subject to detailed recordkeeping and tight supervision over individual investigators.

Hacking Back?

An idea related to “hostile forensics” is a style of computer security that my fellow SANS instructor John Strand calls “offensive countermeasures.” Sometimes John uses the term “hacking back.”

The range of actions that might qualify as "hostile forensics" or "offensive countermeasures" is huge, limited only by imagination. It includes much more than just the examples that Mark and John articulate.

Illegal?

Do “hostile forensics” or “offensive countermeasures” constitute computer crime? This is an exotic jungle of law, thick with nuance. Much of the law is open for interpretation. Simplistic interpretations of the law here are of little help.

In this field there's a lot of dubious folklore (e.g., "action X is always legal; action Y is always illegal").

In truth, the legality of any given action can be highly dependent on the facts of the particular case. Change the facts slightly from one case to the next, and the conclusion whether an action is legal can change.

Two Observations

I have two big picture observations. Neither of these observations is criticism of Mark or John, and neither of them passes judgment on any particular action.

1. Words Matter. When law and ethics are nuanced, the words we choose carry immense weight. The description of an action can influence how the action is understood and treated. Subtleties are important.

(a) Choose Adjectives Carefully

I am reluctant to use the adjectives “hostile” or “offensive” to describe what Mark and John have in mind. Those adjectives carry emotional charges; those adjectives can be interpreted as negative. But Mark and John are talking about actions that are positive and not negative . . . good and not evil . . . legal and not illegal.

Therefore, under a given set of facts, an adjective like “justified,” “responsible” or “proportionate” might better describe an action.

(b) Choose Verbs Carefully

Well-meaning IT folks can be quick to use words like "penetrate" or "hack" or "strike-back" without carefully examining the definition of those words and without considering alternative words. Instead of the verbs "to penetrate" or "to hack," the more accurate verbs to describe an action may be "to confuse," "to tease," "to elicit" or "to regale." Example: "We regaled the adversary bots with a multitude of honeypots."

Alternatively, a more accurate description might be metaphorical. A security or investigative action might best be described as, say, “to depict a clever digital costume.” The reasons for this description might be that:

the action induces a suspicious person to believe something he did not expect and persuades him to reform his behavior or reveal evidence about himself; and/or

the action induces a malicious community of software, like a botnet, to perceive a new situation and persuades the community to reform its behavior or reveal evidence about itself.

2. Court Support. Mark mentions the idea of getting court approval, such as a search warrant, for “hostile” action by law enforcement. Good idea. Typically such approval would come after a government agent, such as a prosecutor, requests the approval.

An alternative type of court approval might come from a civil lawsuit brought by a private party such as a corporation. Microsoft is a pioneer in bringing civil lawsuits against cyber adversaries, such as bot herders and spammers. Microsoft has gotten court approval for assertive actions against adversaries. A civil lawsuit might be brought in either state court or federal court.

3D Printing Forensics
Benjamin Wright, posted 2011-07-07 (updated 2011-11-01)

Metadata in Micro-manufactured Products

3D printing creates physical objects as though they were units of digital data. It takes instructions from software to render physical objects by successively adding small points or layers of substance, one after the next.

3D printing will be a bonanza for digital forensics investigators, just as other digital technologies have been.

Digital artifacts -- like spreadsheet documents or digital photographs -- often contain metadata, such as timestamps and information about the source of the artifact (e.g., what software was used to create the artifact). Metadata is often hidden from view. Users are often surprised the metadata exists.

Metadata can be a treasure trove to a forensic investigator who inspects an artifact like a photograph. The investigator might, for instance, determine the time the photo was created, the type of camera that was used, its GPS location, the photo manipulation techniques employed and so on.
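The hidden metadata described above can be read with a few dozen lines of code. The following is an added example, not code from the original post: it parses the TIFF/EXIF metadata block that a JPEG carries inside its APP1 ("Exif" plus two NUL bytes) segment and pulls out the camera make, the creation timestamp and the GPS fix. Because nothing here touches the network or disk, build_sample_exif() constructs the metadata block inline; the camera name, date and coordinates in it are made-up sample values, and only the handful of tags named in the constants are decoded.

```python
"""Extract camera make, timestamp and GPS position from a TIFF/EXIF block.
Added example, not from the original post; the sample block is constructed."""
import struct

# IFD0 tags (TIFF 6.0 / EXIF) and GPS sub-IFD tags decoded below
TAG_MAKE, TAG_DATETIME, TAG_GPS_IFD = 0x010F, 0x0132, 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
ASCII, LONG, RATIONAL = 2, 4, 5                  # TIFF field types
TYPE_SIZE = {ASCII: 1, LONG: 4, RATIONAL: 8}


def build_sample_exif(endian="<"):
    """Constructed sample (values are made up): IFD0 holding Make, DateTime
    and a GPSInfo pointer to a GPS IFD with a 32d46m48s N / 96d48m0s W fix."""
    make = b"ExampleCam\0\0"                     # NUL-padded to an even length
    dt = b"2011:10:10 14:09:36\0"                # EXIF "YYYY:MM:DD HH:MM:SS"
    ifd0_off = 8
    make_off = ifd0_off + 2 + 3 * 12 + 4         # count + 3 entries + next-IFD ptr
    dt_off = make_off + len(make)
    gps_off = dt_off + len(dt)
    lat_off = gps_off + 2 + 4 * 12 + 4           # count + 4 entries + next-IFD ptr
    lon_off = lat_off + 3 * 8                    # three RATIONALs of 8 bytes

    def entry(tag, typ, count, value4):          # one 12-byte IFD entry
        return struct.pack(endian + "HHI", tag, typ, count) + value4

    def ptr(off):
        return struct.pack(endian + "I", off)

    def dms(d, m, s):                            # deg/min/sec as RATIONAL n/1
        return b"".join(struct.pack(endian + "II", v, 1) for v in (d, m, s))

    ifd0 = struct.pack(endian + "H", 3)
    ifd0 += entry(TAG_MAKE, ASCII, len(make), ptr(make_off))
    ifd0 += entry(TAG_DATETIME, ASCII, len(dt), ptr(dt_off))
    ifd0 += entry(TAG_GPS_IFD, LONG, 1, ptr(gps_off))
    ifd0 += ptr(0)                               # no next IFD
    gps = struct.pack(endian + "H", 4)
    gps += entry(GPS_LAT_REF, ASCII, 2, b"N\0\0\0")   # <= 4 bytes: stored inline
    gps += entry(GPS_LAT, RATIONAL, 3, ptr(lat_off))
    gps += entry(GPS_LON_REF, ASCII, 2, b"W\0\0\0")
    gps += entry(GPS_LON, RATIONAL, 3, ptr(lon_off))
    gps += ptr(0)
    header = (b"II" if endian == "<" else b"MM") + struct.pack(endian + "HI", 42, ifd0_off)
    return header + ifd0 + make + dt + gps + dms(32, 46, 48) + dms(96, 48, 0)


def _read_ifd(data, off, endian):
    """Return {tag: (type, count, raw 4-byte value-or-offset)} for one IFD."""
    if off + 2 > len(data):
        raise ValueError("IFD offset points outside the block")
    (n,) = struct.unpack_from(endian + "H", data, off)
    if off + 2 + 12 * n > len(data):
        raise ValueError("IFD is truncated")
    entries = {}
    for i in range(n):
        tag, typ, count, raw = struct.unpack_from(endian + "HHI4s", data, off + 2 + 12 * i)
        entries[tag] = (typ, count, raw)
    return entries


def _value(data, endian, typ, count, raw):
    """Decode one field: values of 4 bytes or less live inside the entry,
    longer ones are reached through the offset the entry holds."""
    size = TYPE_SIZE[typ] * count
    if size <= 4:
        payload = raw[:size]
    else:
        (off,) = struct.unpack(endian + "I", raw)
        payload = data[off:off + size]
        if len(payload) != size:
            raise ValueError("field offset points outside the block")
    if typ == ASCII:
        return payload.split(b"\0", 1)[0].decode("ascii", "replace")
    if typ == LONG:
        return struct.unpack(endian + "I", payload)[0]
    nums = struct.unpack(endian + "%dI" % (2 * count), payload)
    return list(zip(nums[0::2], nums[1::2]))     # (numerator, denominator) pairs


def _dms_to_degrees(rationals, ref):
    d, m, s = (num / den for num, den in rationals)
    deg = d + m / 60 + s / 3600
    return -deg if ref in ("S", "W") else deg


def parse_exif(data):
    """Return {'make', 'datetime', 'gps': (lat, lon)} for whichever are present."""
    if data[:2] not in (b"II", b"MM"):
        raise ValueError("not a TIFF header")
    endian = "<" if data[:2] == b"II" else ">"
    magic, ifd0_off = struct.unpack_from(endian + "HI", data, 2)
    if magic != 42:
        raise ValueError("bad TIFF magic")
    ifd0 = _read_ifd(data, ifd0_off, endian)
    out = {}
    if TAG_MAKE in ifd0:
        out["make"] = _value(data, endian, *ifd0[TAG_MAKE])
    if TAG_DATETIME in ifd0:
        out["datetime"] = _value(data, endian, *ifd0[TAG_DATETIME])
    if TAG_GPS_IFD in ifd0:
        gps = _read_ifd(data, _value(data, endian, *ifd0[TAG_GPS_IFD]), endian)
        if all(t in gps for t in (GPS_LAT, GPS_LAT_REF, GPS_LON, GPS_LON_REF)):
            lat = _dms_to_degrees(_value(data, endian, *gps[GPS_LAT]), _value(data, endian, *gps[GPS_LAT_REF]))
            lon = _dms_to_degrees(_value(data, endian, *gps[GPS_LON]), _value(data, endian, *gps[GPS_LON_REF]))
            out["gps"] = (lat, lon)
    return out


if __name__ == "__main__":
    print(parse_exif(build_sample_exif()))
```

The same parser works on either byte order, which matters because phone and camera makers differ on it; the offset checks keep a truncated or hand-edited block from producing silent nonsense, which is the failure mode to watch for when the object under examination came from an adversary.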

Metadata Surprises in History

History tells many stories of forensic investigators surprising the subjects of investigation with metadata. The more sensational stories involve technology that was new at the time, when the existence of metadata in the technology was little known.

* In the mid-1980s Col. Oliver North was surprised to learn that after he deleted e-mails, his deleted records were recoverable. In addition, the e-mail system he was using kept metadata indicating that he tried to delete relevant records while an investigation was pending.

* When product developers at one employer switched to a competitor, they took a Microsoft Word document with them. While working for the competitor, they claimed they invented new product ideas from scratch. But metadata in the Word document betrayed them. They recorded their “new” ideas in the very Word document they took from the first employer. The metadata in that document contained a code showing the document had been printed on a printer owned by the first employer. That code was the smoking gun; it showed that the plans were not created from scratch after the developers left the first employer. John H. Jessen, “Special Issues Involving Electronic Discovery,” 9 Kansas Journal of Law and Policy 425, 441 (2000).

* More recently, some Twitter users are surprised that sometimes Twitter associates GPS metadata with each tweet to show where the user was when the tweet was sent. The GPS data might be taken from the user’s smartphone. A forensic investigator could use that GPS metadata to show, for example, that a spouse was at the home of a paramour.

Metadata in 3D Printed Objects

It is into this historical context that 3D printing emerges. 3D printing technologies are diverse. But in principle a 3D printer can incorporate words, codes and numbers into the objects it creates.

This web site demonstrates the incorporation of a unique serial number into each 3D printed object: http://www.gomboc.eu/site.php?inc=0&menuId=20 In that example, the serial number is visible to the eye. But serial numbers and other metadata could be hidden from view inside the object, or could be microscopic.

It is natural that the makers of 3D printer technology would embed serial numbers, time stamps, GPS markers and many other codes into objects. The codes can help with billing, shipping, quality control, inventory management and other operations.

3D printing is growing in popularity, and its growth will continue. 3D technology will make it easier and less expensive for anyone to design and print a custom object.

Metadata as Legal Evidence

Eventually, 3D printed objects will be evidence in official investigations, just as spreadsheets and digital photographs are today. When that happens, I anticipate that forensic investigators will be able to harvest metadata from those objects.

For example, suppose a California tax auditor wants to know whether an aircraft part was either designed or manufactured in the state of California. Clues to answer those questions might be embedded as metadata in the aircraft part itself.

Financial Auditor Gathers Cyber Evidence
Benjamin Wright, posted 2011-06-30 (updated 2011-10-14)

Authenticated Record of What You See When You See It

How should an auditor record his observations as he inspects evidence online?

A multinational auditor in Hong Kong, BDO Limited, needed to inspect the online bank account of a publicly-held Chinese company China-Biotics Inc. (which is traded in the US). The auditor needed to confirm how much cash the company possessed. But when the auditor used a web browser to access the online bank account identified by the company, the auditor became suspicious that the bank web page was fake! Michael Rapoport, “Auditors Sharpen Queries In China,” Wall Street Journal, June 29, 2011.

The auditor resigned on grounds that: “In connection with BDO’s review of the Company’s bank account through the Company’s e-banking system using the Company’s computer, BDO was directed by the Company to access a suspected fake website for the bank.”

Audit Evidence is Now Online

The evidence an auditor must examine is, increasingly, online.* The evidence, such as a web page, could show one thing now and something different an hour later. Auditors need more credible methods for capturing and authenticating what they see. Sure, they can make screenshots, but screenshots are cumbersome and don't capture the full interaction of the web.

The following video demonstrates an alternative. It shows how an auditor can capture a real-time screencast of his observations as he inspects web pages, mobile apps or e-banking accounts. It allows the auditor to bind his observations with simultaneous, eyewitness testimony as to the steps he was taking and his interpretation of what he was witnessing.

Notice that the auditor legally signs the final video record (like an affidavit) so that it is authenticated for future use, even if the auditor himself is not available later to vouch for the record.

Evidence from a Technology-Empowered Crowd
Benjamin Wright, posted 2011-06-19 (updated 2011-08-09)

Corruption Deterrent

Crowdsourcing can be a tool of investigation. An official investigation can gather evidence by urging large numbers of people to submit information such as photographs snapped with smartphones.

First Example: The Controller of the City of Philadelphia has released an iPhone app (the "Philly Watchdog") to help citizens report waste, abuse, fraud or bribery involving city government. A citizen might, for example, use the app to submit a video of a city employee driving recklessly.

Second Example: When a post-hockey game riot (fires, looting, vandalism) broke out in Vancouver, B.C., many witnesses recorded the riot by photo and video. The police later asked that witnesses keep their pictures so that they may be available to help the police identify culprits. Several citizens started public web pages to collect the images and the comment of witnesses.*

Analysis

For the investigator, crowdsourcing is a force multiplier. Furthermore, it gives the public, and not just the investigator, a stake in the investigation.

In the two examples of crowdsourced investigations above, the investigator asks for citizens to send evidence directly to the investigator, so the investigator can review it in private. The public web sites in Vancouver can facilitate a more free-form exchange of information among witnesses. But those sites were created by citizens, not official investigators (the police).

Were an official investigator to open a web site or forum where citizens could post publicly-viewable photos and comments, two problems might arise. One, suspects identified on the site might claim that their privacy had been violated. Two, suspects might be defamed when citizens post false or unsubstantiated allegations against the suspects. Some pranksters would be tempted to post photoshopped images.

Anti-Surveillance Laws

Could recordings by citizens violate the privacy of those recorded? Anti-surveillance laws are complex and vary from one place to the next. Generally speaking in the US, the laws do not prohibit the recording of images of people in public view. But they sometimes forbid audio recording of private conversations. (Remember that video cameras often record both images and audio.)

What about recordings of the police themselves? There are many reports of police officers taking offense when citizens record them. But generally the courts have ruled in favor of citizens and held that anti-surveillance laws (wiretapping and eavesdropping laws) do not prohibit the recording of police officers on duty.

[Update: A New York prosecutor is taking a novel approach to the question whether police officers can be recorded. The prosecutor has indicted a citizen for "obstructing governmental administration." The citizen, standing in her front yard, video recorded a night-time traffic stop as it unfolded on the street. A police officer told her to go inside her house because he did not feel safe with her presence. When she refused, he arrested her.]

Admissibility of Evidence

If a citizen violates the law to capture evidence, it might not be admissible in court. In Connecticut, for example, electronic evidence gathered by illegal means is inadmissible. Connecticut General Statutes Sec. 52-184a states: "No evidence obtained illegally by the use of any electronic device is admissible in any court of this state."

Illegal gathering of evidence might include using deception in violation of terms of service for a web site or social media service. How might such deception occur? Here’s an example: a citizen impersonates another person on Myspace (contrary to the Myspace’s terms) so that a suspect will “friend” the citizen and then reveal incriminating details about himself.

Mobile Evidence Collection
Benjamin Wright, posted 2011-05-25 (updated 2011-10-16)

Dual-Camera Android Devices

Tablets and smart phones are coming equipped with two cameras, one on the back and another on the front. These two cameras make it easy for an investigator to gather and authenticate audio-visual records about physical evidence -- such as graffiti on a fence or the appearance of a murder scene.

The integrity of audio, video and photographic records is easy to enhance if the investigator's device enables multiple files to be attached to outgoing email. Android devices normally do allow multiple attachments to email.

Experience shows that records of email (especially email in an enterprise) are reasonably protected from tampering. This is one reason that email evidence is routinely accepted and relied upon in court.

Therefore, a pretty good technique for an investigator to collect evidence is to (1) make a video record with the back camera, (2) sign and authenticate the first record with a second video, made with the front camera, showing a statement of affirmation by the investigator and (3) send both videos as attachments to a single email addressed to multiple people.

Here is a demonstration:

The investigator can further enhance the integrity of records by speaking date and time directly into the videos made with the mobile device. The spoken date and time should approximately match the timestamp on the email to which the videos are attached.

Is the second video, which signs and authenticates the first video, required? Not necessarily. However, it is useful. It can be persuasive to a judge or jury, in that it visually and auditorily depicts an identified witness confirming a record and taking responsibility. It helps make the email and its attachments more like a formal, legal affidavit. An affidavit may be accorded special weight in an investigation or courtroom hearing.
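The check that both this post and the "Cloud Time Stamp" section of the Myspace post rely on is the same one: the date the witnesses speak into the recording must agree with an independent timestamp (an email header, a storage provider's last-modified time), and the file in hand must be the file that was recorded. The following is an added example, not code from either post, that writes that practice down as a small manifest and a verifier. It assumes SHA-256 as the hash (the posts name no hash), a 24-hour tolerance between spoken and recorded times (a hypothetical policy value), and uses constructed byte strings and timestamps in place of the real videos and email or Skydrive times.

```python
"""Hash-and-timestamp manifest for screencast or mobile video evidence.
Added example, not from the original posts; file contents, witness names and
timestamps are constructed, and SHA-256 plus a 24 h tolerance are assumptions."""
import hashlib
import json
from datetime import datetime, timedelta, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_manifest(files: dict, witnesses: list, spoken_time: datetime) -> str:
    """files: {name: bytes}.  The JSON returned is what the investigators keep
    (and hand to colleagues) beside the uploaded or emailed videos."""
    return json.dumps({
        "witnesses": witnesses,
        "spoken_time": spoken_time.isoformat(),
        "files": {name: sha256_hex(blob) for name, blob in files.items()},
    }, sort_keys=True)


def verify(manifest_json: str, files: dict, store_times: dict,
           tolerance: timedelta = timedelta(hours=24)) -> list:
    """Return a list of problems; an empty list means the evidence is consistent.
    files: {name: bytes} as retrieved later from the mailbox or cloud account.
    store_times: {name: datetime} the email Date header or provider's
    last-modified time for each file (timezone-aware)."""
    m = json.loads(manifest_json)
    spoken = datetime.fromisoformat(m["spoken_time"])
    problems = []
    if len(m["witnesses"]) < 2:
        problems.append("fewer than two witnesses signed the record")
    for name, expected in m["files"].items():
        if name not in files:
            problems.append(f"{name}: missing from storage")
            continue
        if sha256_hex(files[name]) != expected:
            problems.append(f"{name}: hash mismatch (file replaced or altered)")
        mod = store_times.get(name)
        if mod is None:
            problems.append(f"{name}: no independent timestamp available")
        elif abs(mod - spoken) > tolerance:
            problems.append(f"{name}: stored {mod.isoformat()} disagrees with "
                            f"spoken time {spoken.isoformat()}")
    return problems


def demo():
    """Constructed walk-through: a consistent upload, then the October 25
    replacement scenario from the Skydrive discussion."""
    spoken = datetime(2011, 10, 10, 14, 9, tzinfo=timezone.utc)
    original = {"screencast.mp4": b"constructed screencast bytes, version 1",
                "affirmation.mp4": b"constructed front-camera affirmation, version 1"}
    manifest = make_manifest(original, ["Investigator 1", "Investigator 2"], spoken)
    soon_after = {n: spoken + timedelta(minutes=20) for n in original}
    clean = verify(manifest, original, soon_after)

    replaced = {**original, "screencast.mp4": b"constructed screencast bytes, version 2"}
    late = {**soon_after, "screencast.mp4": datetime(2011, 10, 25, 9, 0, tzinfo=timezone.utc)}
    suspect = verify(manifest, replaced, late)
    return clean, suspect


if __name__ == "__main__":
    for label, result in zip(("original", "replaced"), demo()):
        print(label, result or "consistent")
```

The manifest itself is only as trustworthy as the copies of it the investigators cannot quietly change, which is why the posts' advice to hand the material to colleagues or email it to several recipients is the part that does the real work; the hash turns "the dates do not match" into "this is not the file".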

Does Data Integrity Promote Privacy?
Benjamin Wright, posted 2011-04-13 (updated 2012-03-07)

Consumer Privacy Bill of Rights

Some codes of privacy say that the holder of personal data must take steps to ensure the “integrity” or “accuracy” of the data.

Why? Such a requirement seems to intrude on the privacy of individuals.

Data Integrity Requirement

Consider Section 303, the “Data Integrity” section of the “Commercial Privacy Bill of Rights” announced April 12, 2011 by US Senators John Kerry and John McCain: “(a) IN GENERAL – Each covered entity shall attempt to establish and maintain reasonable procedures to ensure that personally identifiable information that is covered information and maintained by the covered entity is accurate in those instances where the covered information could be used to deny consumers benefits or cause significant harm.” (emphasis added)

This Section 303 would give the holder of data an affirmative duty to keep its information about an individual up-to-date. To fulfill that duty the data holder would need to pester or check up on – or search for or track -- the individual. Pestering, checking, searching or tracking seems antithetical to an individual’s desire to be left alone.

In this age of information, each individual has relationships with thousands of commercial entities – merchants, websites, clubs, charities, magazines, advertisers, social networks, mobile app operators, online game impresarios and many others. Technology is causing the number of commercial entities having a relationship with any given individual to grow rapidly. The growth will continue as new technologies like social media are invented.

Let the Relationship Come to an End

Very often, after establishing the relationship, the individual loses interest in it and simply forgets about it. The individual takes no steps to terminate or opt out of the relationship because those steps take too much time and attention. And very often today, the individual never hears about the relationship again. The individual and the commercial entity just leave one another alone . . . which achieves the goal of privacy.

Until now, in the US, a commercial entity has generally had no obligation to keep its records accurate and up-to-date.

Still, the commercial entity maintains a record of the relationship. The reasons for maintaining the record are numerous, including compliance with tax, warranty, customer service and consumer protection interests.

As a holder of the record of the relationship, the entity is ready to acknowledge the relationship and support it should the individual ever return. “Hello, Ms. Smith!” says the online game host. “Our records show that you have played cyberspace bingo with us in the past. We are so glad you have returned to test your skills and luck.”

Proactive Updating of Records

But look what Section 303(a) purports to do. It says the commercial entity must keep its records accurate, which means up-to-date. To do that, the entity must be proactive. It must do something, such as send a periodic email, or place a phone call, or conduct some kind of Internet search. Imagine the automated phone call that says, “We are calling you today to update our files.” Are not inquiries like this an annoyance and an encroachment on privacy?

Inaccuracy Promotes Privacy!

Oftentimes for an individual, outdated/inaccurate records actually promote privacy. If Ms. Smith changes her email address and fails to notify a merchant with which she has a relationship, then the merchant cannot bedevil her with emails offering “discounts” and “sales” and “membership privileges.”

Granted, Section 303(a) does have limitations. One of the limitations is that it only applies if the inaccurate information would cause the individual to be denied consumer “benefits.” Yet that is a meaningless limitation. Most any commercial entity will believe that the relationship it has with the consumer provides her “benefits.” Among other things, the relationship enables the entity to reach out (via email, text message, postal mail, Skype chat or who-knows-what-is-the-next-medium-of-communication) to Ms. Smith and urgently notify her that next week cyberspace bingo winners will be given Kewpie Doll avatars that they can post on their Myspace pages!